`
`BRIAN M. BOYNTON, Acting Assistant Attorney General, Civil Division
`ARUN G. RAO, Deputy Assistant Attorney General
`GUSTAV W. EYLER, Director, Consumer Protection Branch
`LISA K. HSIAO, Assistant Director
`ZACHARY A. DIETERT
`DAVID G. CROCKETT
` Trial Attorneys
` Consumer Protection Branch
` Civil Division, U.S. Department of Justice
` 450 5th Street, NW, Suite 6400-South
` Washington, D.C. 20530
` Telephone: (202) 616-9027 (Dietert)
` (202) 305-7196 (Crockett)
` Facsimile: (202) 514-8742
` Zachary.A.Dietert@usdoj.gov
` David.G.Crockett@usdoj.gov
`
`
`Attorneys for Plaintiff
`UNITED STATES OF AMERICA
`
`
`
`IN THE UNITED STATES DISTRICT COURT
`FOR THE CENTRAL DISTRICT OF CALIFORNIA
`WESTERN DIVISION
`
`
`
`
`
`
`
`
`Case No. 2:21-cv-09693
`
`COMPLAINT FOR PERMANENT
`INJUNCTION, CIVIL
`PENALTIES, AND OTHER
`RELIEF
`
`
`UNITED STATES OF AMERICA,
`
`
`Plaintiff,
`
`
`
`
`OPENX TECHNOLOGIES, INC.,
`a Delaware Corporation,
`
`
`v.
`
`
`
`
`Defendant.
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 2:21-cv-09693 Document 1 Filed 12/15/21 Page 2 of 16 Page ID #:2
`
`
`
`Plaintiff, the United States of America, acting upon notification and
`
`
`authorization to the Attorney General by the Federal Trade Commission (“FTC” or
`
`
`“Commission”), for its Complaint alleges that:
`
`
`1.
`Plaintiff brings this action under Sections 5(a)(1), 5(m)(1)(A), 13(b),
`
`
`and 16(a) of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. §§ 45(a)(1),
`
`
`45(m)(1)(A), 53(b), and 56(a); and Sections 1303(c) and 1306(d) of the Children’s
`
`
`Online Privacy Protection Act of 1998 (“COPPA”), 15 U.S.C. §§ 6502(c) and
`
`
`6505(d), to obtain monetary civil penalties, a permanent injunction, and other
`
`
`equitable relief for Defendant’s violations of Section 5 of the FTC Act and the
`
`
`Commission’s Children’s Online Privacy Protection Rule (“Rule” or “COPPA
`
`
`Rule”), 16 C.F.R. Part 312.
`
`
`
`JURISDICTION AND VENUE
`
`
`2.
`Defendant OpenX Technologies, Inc. (“OpenX”) is a Delaware
`
`
`corporation, with its principal place of business in Pasadena, California.
`
`
`3.
`OpenX transacts or has transacted business in the Central District of
`
`
`California.
`
`
`4.
`This Court has subject matter jurisdiction pursuant to 28 U.S.C.
`
`
`§§ 1331, 1337(a), 1345, and 1355, and under 15 U.S.C. §§ 45(m)(1)(A), and 56(a).
`
`
`5.
`Venue in the Central District of California is proper under 15 U.S.C.
`
`
`§ 53(b) and 28 U.S.C. §§ 1391(b)(1), (b)(2), (c)(2), and (d).
`
`
`COMMERCE
`
`
`6.
`At all times material to this Complaint, OpenX has maintained a
`
`
`substantial course of trade in or affecting commerce, as “commerce” is defined in
`
`
`Section 4 of the FTC Act, 15 U.S.C. § 44.
`
`SECTION 5 OF THE FTC ACT
`
`
`7.
`
`Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), prohibits unfair and
`
`
`deceptive acts or practices in or affecting commerce.
`
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`- 2 -
`
`
`
`
`Case 2:21-cv-09693 Document 1 Filed 12/15/21 Page 3 of 16 Page ID #:3
`
`
`
`THE CHILDREN’S ONLINE PRIVACY PROTECTION ACT
`
`
`8.
`Congress enacted COPPA in 1998 to protect the safety and privacy of
`
`
`children online by prohibiting the unauthorized or unnecessary collection of
`
`
`children’s personal information online by operators of Internet Web sites and online
`
`
`services. COPPA directed the Commission to promulgate a rule implementing
`
`
`COPPA. The Commission promulgated the COPPA Rule, 16 C.F.R. Part 312, on
`
`
`November 3, 1999, under Section 1303(b) of COPPA, 15 U.S.C. § 6502(b), and
`
`
`Section 553 of the Administrative Procedure Act, 5 U.S.C. § 553. The Rule went into
`
`
`effect on April 21, 2000. The Commission promulgated revisions to the Rule that
`
`
`went into effect on July 1, 2013. Pursuant to Section 1303(c) of COPPA, 15 U.S.C.
`
`
`§ 6502(c), and Section 18(d)(3) of the FTC Act, 15 U.S.C. § 57(a)(d)(3), a violation
`
`
`
`of the Rule constitutes an unfair or deceptive act or practice in or affecting
`
`
`commerce, in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).
`
`
`9.
`The Rule applies to any operator of a commercial Web site or online
`
`
`service directed to children under 13 years of age (which includes operators of online
`
`
`services with actual knowledge that they are collecting personal information directly
`
`
`from users of another Web site or online service directed to children), or any operator
`
`
`that has actual knowledge that it is collecting or maintaining personal information
`
`
`from a child under 13 years of age. 16 C.F.R. § 312.3. The definition of “personal
`
`
`information” includes, among other things, “geolocation information sufficient to
`
`
`identify street name and name of a city or town,” and a “persistent identifier that can
`
`
`be used to recognize a user over time and across different Web sites or online
`
`
`services,” such as a “customer number held in a cookie, an Internet Protocol (IP)
`
`
`address, a processor or device serial number, or unique device identifier.” 16 C.F.R.
`
`
`§ 312.2.
`
`
`10. Among other things, the Rule requires subject operators to meet specific
`
`
`requirements relating to collecting, using, or disclosing personal information from
`
`children, including but not limited to:
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`- 3 -
`
`
`
`
`Case 2:21-cv-09693 Document 1 Filed 12/15/21 Page 4 of 16 Page ID #:4
`
`
`
`a. Obtaining verifiable parental consent prior to collecting, using, or
`
`
`disclosing personal information from children (16 C.F.R. § 312.5);
`
`
`and
`
`
`b. Posting a prominent and clearly labeled link to an online notice on its
`
`
`Web site or online service providing clear, understandable, and
`
`
`complete notice of its information practices, including what
`
`
`information the operator collects from children online, how it uses
`
`
`such information, its disclosure practices for such information, and
`
`
`other specific disclosures set forth in the Rule (16 C.F.R. § 312.4).
`
`
`11. For purposes of this Complaint, the terms “child,” “collects,”
`
`
`“collection,” “disclose or disclosure,” “Internet,” “operator,” “parent,” “personal
`
`
`
`information,” “verifiable parental consent,” and “Web site or online service directed
`
`
`to children,” are defined as those terms are defined in Section 312.2 of the COPPA
`
`
`Rule, 16 C.F.R. § 312.2.
`
`
`THE OPENX AD EXCHANGE
`
`
`12. OpenX operates a programmatic advertising exchange that helps
`
`
`publishers of Web sites and mobile applications (“Apps”) monetize their properties
`
`
`through advertising.
`
`
`13. Programmatic advertising is the automated method of trading ads online
`
`
`in a mobile environment. OpenX provides a real-time bidding platform where it
`
`
`essentially conducts auctions for ad space.
`
`
`14. OpenX contracts with publishers whose Web sites and Apps send ad
`
`
`requests to OpenX using an OpenX software development kit (“SDK”) or another
`
`
`type of technical integration. The OpenX Android SDK and iOS SDK are code
`
`
`components that are integrated with the Apps that allow OpenX to collect data from
`
`
`the consumer’s device and facilitate the display of ads within the Apps.
`
`
`15. OpenX also contracts with advertising technology companies
`
`(“Networks”) that aggregate and sell advertising inventory for publishers and send ad
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`- 4 -
`
`
`
`
`Case 2:21-cv-09693 Document 1 Filed 12/15/21 Page 5 of 16 Page ID #:5
`
`
`
`requests to the OpenX Ad Exchange.
`
`
`16. OpenX describes itself as the largest independent advertising exchange,
`
`
`with over 1,200 premium publishers, at least 50,000 mobile Apps, and tens of
`
`
`thousands of demand-side partners (i.e., buyers of ad inventory consisting of
`
`
`advertisers, advertising agencies, and advertising networks) participating in the
`
`
`exchange.
`
`
`17. Programmatic advertising enables advertisers and their agents to select
`
`
`among criteria to deliver targeted messages to preferred audiences. OpenX manages
`
`
`the competing bids submitted by the bidding entities and facilitates the display of an
`
`
`ad associated with the winning bid.
`
`
`18. The OpenX Ad Exchange supports a variety of targeting criteria used by
`
`
`
`publishers and advertisers to identify ad space where buyers want ads to be served.
`
`
`19.
`“Targeting” involves the collection of data about consumers and their
`
`
`devices, including mobile phones. OpenX’s business relies on collecting data that its
`
`
`partners want to use to learn about consumers and maximize the buyers’ advertising
`
`
`dollars.
`
`
`20. An ad request is a set of data fields that OpenX collects from an App
`
`
`when the App requests an ad to be shown. On a daily basis, OpenX processes nearly
`
`
`100 billion ad requests.
`
`
`21. A bid request includes the information from the ad request that OpenX
`
`
`forwards to buyers, in order to trigger an automated real-time auction on the OpenX
`
`
`Ad Exchange among buyers that want to serve an ad to the requesting Web site or
`
`
`App.
`
`
`22. The information received in the ad request and transmitted in a bid
`
`
`request is used by buyers to determine whether they want to bid on the ad space, how
`
`
`much they want to bid, and what kind of ad to display in the App. Buyers, also
`
`
`referred to as OpenX’s “demand-side partners,” include advertisers and service
`
`providers that work on behalf of advertisers, such as advertising agencies and
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`- 5 -
`
`
`
`
`Case 2:21-cv-09693 Document 1 Filed 12/15/21 Page 6 of 16 Page ID #:6
`
`
`
`advertising networks.
`
`
`23. OpenX promotes itself as the highest quality programmatic advertising
`
`
`marketplace, and seeks to attract participants with claims that it employs a dual
`
`
`human and technology approach to traffic quality. According to OpenX, it has the
`
`
`only traffic quality team in the industry that conducts a human review of each Web
`
`
`site or App that sends ad requests, to ensure compliance with OpenX’s supply
`
`
`policies and to accurately classify the subject matter of all Web sites and Apps for
`
`
`the benefit of its demand-side partners.
`
`
`ANDROID AND iOS PERMISSION-BASED SYSTEMS
`
`
`24. The Android and iOS operating systems provide App developers with
`
`
`application programming interfaces (“APIs”) that facilitate the collection of data
`
`
`
`about consumers and their devices.
`
`
`25.
`In order to access certain data from a device, these operating systems
`
`
`require App developers to obtain a consumer’s consent through “permissions,” which
`
`
`involve notifying the consumer about the sensitive information (e.g., the consumer’s
`
`
`location or contacts) or sensitive device functionality (e.g., the device’s camera or
`
`
`microphone) that the App would like to access.
`
`
`26. Through these permission-based systems, consumers can manage
`
`
`privacy settings and exercise control over certain data when using their mobile
`
`
`devices. The setting options are determined by the platforms, and can vary across
`
`
`devices and platform versions.
`
`
`27. Apps request consent to access location data using a permission dialog
`
`
`box (i.e., a pop-up notification) that prompts the user to allow or deny access to his
`
`
`or her location data. In addition to these App notifications, Android and iOS provide
`
`
`consumers with system settings to restrict access to their location data. Through these
`
`
`settings, the consumer can prevent all or specific applications from accessing the
`
`
`location API.
`
`28. OpenX advises publishers to include location permissions when
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`- 6 -
`
`
`
`
`Case 2:21-cv-09693 Document 1 Filed 12/15/21 Page 7 of 16 Page ID #:7
`
`
`
`integrating the OpenX SDKs with their Apps to enable OpenX to collect location
`
`
`data if the consumer grants access.
`
`
`29. Publishers provide notice to consumers regarding what data the
`
`
`properties, e.g., Web sites and Apps, they are using collect, based on the permissions
`
`
`they incorporate. These representations can be found in the privacy policies
`
`
`disseminated by the publishers.
`
`
`30. The Android and iOS operating systems consider GPS coordinates—
`
`
`latitude and longitude—and the basic service set identifier (“BSSID”) to be precise
`
`
`location data that should only be accessed if the requisite location permissions are
`
`
`granted by the consumer.
`
`
`31. The BSSID is a 12-digit code that uniquely identifies a wireless access
`
`
`
`point, such as a specific router. It corresponds to a physical location. The BSSID is
`
`
`also known as the hardware MAC address for a wireless access point, WiFi MAC
`
`
`address, or router MAC address.
`
`
`32. The BSSID is capable of being used to identify a device’s location with
`
`
`the same or better precision than GPS coordinates transmitted by the mobile device.
`
`
`33.
`In recognition of the sensitive nature of the BSSID, Android and iOS
`
`
`have applied increasingly restrictive permissions to protect the BSSID over the years.
`
`
`OPENX’S COLLECTION OF LOCATION DATA
`
`
`34. OpenX’s privacy policies over the years, including its privacy policy
`
`
`effective May 25, 2018, explain how OpenX collects, uses, and discloses
`
`
`information, and consumers’ choices for managing their information preferences.
`
`
`OpenX has stated:
`
`This Privacy Policy explains how OpenX Software Ltd. and its
`
`subsidiaries . . . collect, use, and disclose information, and your
`
`choices for managing your information preferences.
`
`Opting Out for Location Data: You may opt out of our
`
`collection, use, and transfer of precise location data by using the
`
`location services controls in your mobile device’s settings.
`
`
`
`
`
`OpenX Technologies, Inc. is a wholly-owned operating subsidiary of OpenX
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`- 7 -
`
`
`
`
`Case 2:21-cv-09693 Document 1 Filed 12/15/21 Page 8 of 16 Page ID #:8
`
`
`
`Ltd., which is a wholly-owned subsidiary of OpenX Software Ltd.
`
`
`35. This information has also been shared on a standalone page providing
`
`
`consumers with their choices for opting out of certain collection, use, and transfer of
`
`
`data. OpenX’s Web site home page contains a persistent footer link titled “Interest-
`
`
`Based Advertising” that takes consumers directly to the standalone page.
`
`
`36. Contrary to OpenX’s statements, OpenX collected precise location data,
`
`
`i.e., BSSIDs, from consumers who opted out of such collection.
`
`
`37.
`In 2018, it was discovered that, notwithstanding OpenX’s inclusion of
`
`
`location permissions in the OpenX Android SDK code, OpenX used a backdoor
`
`
`method to retrieve the BSSID. Under circumstances where a user had not granted, or
`
`
`had outright denied, the requisite location permissions, OpenX accessed the BSSID
`
`
`
`from a file that stores the ARP cache, instead of using the sanctioned method of
`
`
`accessing the BSSID using the location API.
`
`
`38. Soon after the discovery, Google notified OpenX that its Android SDK
`
`
`was acquiring location data using the BSSID in a non-sanctioned manner that
`
`
`violated Google’s Device and Network Abuse Policy, and that Apps that included the
`
`
`OpenX Android SDK code had been removed from the Google Play store.
`
`
`39. OpenX responded by updating the Android SDK code, and informed all
`
`
`of the publishers who had integrated it, or who had received OpenX Android SDK
`
`
`documentation, of the necessity to update their Apps with the new version of the
`
`
`Android SDK.
`
`
`40. But even if publishers updated their Apps, OpenX could still collect the
`
`
`BSSID from the ARP cache through existing code in Apps that was previously
`
`
`installed on consumer devices that consumers did not update.
`
`
`41. The command for collecting the BSSID from the ARP cache was
`
`
`included in every version of the OpenX Android SDK available from September
`
`
`2012 to October 2018.
`
`42. OpenX transmitted the BSSID to numerous third parties, including
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`- 8 -
`
`
`
`
`Case 2:21-cv-09693 Document 1 Filed 12/15/21 Page 9 of 16 Page ID #:9
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`location data brokers, advertisers, advertising agencies, and advertising networks.
`
`
`43. The OpenX Android SDK has been integrated into nearly two hundred
`
`
`Apps, including popular Apps that have been downloaded billions of times by
`
`
`consumers.
`
`
`44. As a result of OpenX’s practices, publishers provided incorrect
`
`
`information to consumers regarding their Apps’ privacy practices. Indeed, App
`
`
`developers that have integrated the OpenX SDK represented to consumers in their
`
`
`privacy policies that consumers had the ability to control the collection and use of
`
`
`location data through their Apps and through their device location settings,
`
`
`notwithstanding the fact that OpenX collected the BSSID from their devices without
`
`
`consent.
`
`
`
`45. OpenX did not have a regular practice of examining its data collection
`
`
`practices, assessing whether there was a justification or need for collecting various
`
`
`data, or checking whether it complied with Android or iOS platform policies, despite
`
`
`OpenX personnel raising these issues as privacy concerns.
`
`
`OPENX’S BUSINESS PRACTICES REGARDING COLLECTION OF
`
`INFORMATION FROM CHILD-DIRECTED PROPERTIES
`
`
`
`
`46. COPPA sets forth requirements for any operator of a Web site or online
`
`
`service directed to children and any operator that has actual knowledge that it is
`
`
`collecting or maintaining personal information from a child under 13 years of age.
`
`
`16 C.F.R. § 312.3. As described in Paragraphs 47 to 56, OpenX has actual
`
`
`knowledge that it collects personal information, including location information and
`
`
`persistent identifiers, from users of Web sites and Apps directed to children under 13
`
`
`years of age.
`
`
`47. OpenX’s traffic quality team is tasked with conducting a human review
`
`
`of every Web site or App that sends ad requests to its Ad Exchange. This review is
`
`
`intended to identify restricted content (e.g., pornography, online gambling, and
`
`extreme violence), categorize the property by subject matter or content (e.g.,
`- 9 -
`
`
`
`
`
`
`
`Case 2:21-cv-09693 Document 1 Filed 12/15/21 Page 10 of 16 Page ID #:10
`
`
`
`“Finance,” “News & Magazines,” or “Sports”), and determine whether the property
`
`
`is child-directed, among other goals.
`
`
`48. To determine whether a property is child-directed, the traffic quality
`
`
`analysts are responsible for thoroughly reviewing the Web sites and Apps, including
`
`
`the App store pages, against numerous criteria, much of which is adopted from the
`
`
`COPPA Rule.
`
`
`49. According to OpenX policy, the traffic quality analysts must flag Apps
`
`
`directed to children to be banned from participating in the Ad Exchange, unless an
`
`
`exception can be verified with management.
`
`
`50. Notwithstanding OpenX’s policies and procedures, hundreds of child-
`
`
`directed Apps that OpenX reviewed were not flagged as child-directed and have
`
`
`
`participated in the OpenX Ad Exchange. OpenX had actual knowledge that these
`
`
`Apps were child-directed based on its human review of the Apps. The Apps for
`
`
`which OpenX processed requests include obvious references to children in the App
`
`
`name and developer name. The names of the Apps include terms such as “for
`
`
`toddlers,” “for kids,” “kids games,” “preschool learning,” “kindergarten,” etc.
`
`
`Moreover, the App store pages included graphics from and descriptions of the Apps
`
`
`that reinforced that they were designed for kids, and listed age ratings of the Apps
`
`
`showing they were appropriate for children under the age of 13.
`
`
`51. OpenX has received millions, if not billions, of ad requests directly or
`
`
`indirectly from child-directed Apps, and transmitted millions, if not billions, of bid
`
`
`requests containing personal information of children to OpenX’s demand-side
`
`
`partners. These requests included location information and persistent identifiers used
`
`
`for online behavioral advertising.
`
`
`52. OpenX has taken no steps to obtain verified parental consent or provide
`
`
`the requisite notices prescribed by COPPA.
`
`
`53. Further, OpenX’s instructions to its traffic quality analysts narrowly
`
`defined child-directed properties to only those “primarily” directed to children,
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`- 10 -
`
`
`
`
`Case 2:21-cv-09693 Document 1 Filed 12/15/21 Page 11 of 16 Page ID #:11
`
`
`
`thereby excluding from the definition of child-directed many Web sites and Apps
`
`
`that target children as one of their audiences. Doing so resulted in OpenX collecting
`
`
`and maintaining personal information from Web sites and Apps that are child-
`
`
`directed, in violation of the COPPA Rule. If the Web site and Apps were not
`
`
`identified as child-directed, the personal information collected from those sites could
`
`
`have been used to facilitate targeted advertising.
`
`
`54. Notwithstanding OpenX’s collection, use, and disclosure of personal
`
`
`information from child-directed properties, OpenX has stated that it does not engage
`
`
`in activities that require parental notice or consent under COPPA. For example, its
`
`
`privacy policy states:
`
`Children’s Online Privacy Protection Act Notice.
`
`
`
`
`OpenX does not engage in activities that require parental notice
`
`or consent under the Children’s Online Privacy Protection Act
`
`(COPPA). If you believe that OpenX has inadvertently
`
`collected information from a child under 13 that is subject to
`
`parental notice and consent under COPPA, please contact
`
`OpenX using the contact information below to request deletion
`
`of the information.
`
`
`
`
`55.
`In its Data Privacy and Information Security Frequently Asked
`
`
`Questions, OpenX also stated that it has an internal COPPA policy that identifies
`
`
`child-directed properties and places a COPPA flag for inventory from those
`
`
`properties.
`
`
`56. This statement, however, does not accurately characterize OpenX’s
`
`
`COPPA practices. OpenX does not identify all child-directed properties nor does it
`
`
`add a COPPA flag to all inventory coming from child-directed properties. Without
`
`
`the COPPA flag to indicate that the inventory is child-directed, OpenX’s demand-
`
`
`side partners have served targeted ads to the users of those child-directed Web sites
`
`
`and Apps.
`
`
`
`
`
`
`
`
`
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`- 11 -
`
`
`
`
`Case 2:21-cv-09693 Document 1 Filed 12/15/21 Page 12 of 16 Page ID #:12
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`OPENX’S VIOLATIONS OF THE FTC ACT
`
`
`
`COUNT I: Deception – OpenX Has Misrepresented Its Data Collection
`
`
`Practices, and Collected Consumer Location Data When the Consumer Had Not
`
`Provided Consent or Had Expressly Denied Consent
`
`
`
`
`57. As provided in Paragraphs 34 and 35, OpenX represented, directly or
`
`
`indirectly, expressly or by implication, that consumers can opt out of OpenX’s
`
`
`collection, use, and transfer of precise location data by using the location services
`
`
`controls in their mobile device settings or by denying consent when prompted by a
`
`
`permission dialog box.
`
`
`58.
`In fact, as described in Paragraphs 36 to 45, consumers could not opt out
`
`
`of OpenX’s collection, use, and transfer of precise location data by using the location
`
`
`
`services controls in their mobile device settings or by using the permission dialog
`
`
`box within the App. OpenX collected and transferred the BSSID even if the
`
`
`consumer had not provided consent or had expressly denied permission to collect
`
`
`location data.
`
`
`59. Therefore, the representations referred to in Paragraph 57 were false or
`
`
`misleading, and constitute a deceptive act or practice in violation of Section 5(a) of
`
`
`the FTC Act, 15 U.S.C. § 45(a).
`
`
`COUNT II: Deception – OpenX Has Misrepresented Its
`
`COPPA Activities and Practices
`
`
`
`
`60. As provided in Paragraph 54, OpenX represented, directly or indirectly,
`
`
`expressly or by implication, that it does not engage in activities that require parental
`
`
`notice or consent under COPPA. As provided in Paragraph 55, OpenX also
`
`
`represented, directly or indirectly, expressly or by implication, that it identifies all
`
`
`child-directed properties and includes a COPPA flag to identify inventory from those
`
`
`properties.
`
`
`61.
`In fact, as provided in Paragraphs 12 to 23 and 46 to 56, OpenX does
`
`engage in activities that require parental notice and consent under COPPA.
`- 12 -
`
`
`
`
`
`
`
`Case 2:21-cv-09693 Document 1 Filed 12/15/21 Page 13 of 16 Page ID #:13
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Moreover, OpenX does not identify all child-directed properties, nor does it include a
`
`
`COPPA flag in bid requests to identify all child-directed inventory.
`
`
`62. Therefore, the representations referred to in Paragraph 60 were false or
`
`
`misleading, and constitute a deceptive act or practice in violation of Section 5(a) of
`
`
`the FTC Act, 15 U.S.C. § 45(a).
`
`
`OPENX’S VIOLATIONS OF THE COPPA RULE
`
`
`
`COUNT III: COPPA – OpenX Has Collected Personal Information
`
`
`from Users of Child-Directed Properties
`
`Without Consent and Proper Notice
`
`
`
`
`63. Pursuant to the COPPA Rule, 16 C.F.R. § 312.3, any operator of a Web
`
`
`site or online service directed to children, or any operator that has actual knowledge
`
`
`
`that it is collecting or maintaining personal information from a child, is required to
`
`
`collect information from children in a COPPA-compliant manner. Those
`
`
`requirements include providing proper notice and obtaining parental consent before
`
`
`collecting, using, and disclosing personal information from children. As described in
`
`
`Paragraphs 12 to 23 and 46 to 56, OpenX is an operator of an online service directed
`
`
`to children because it is an operator of an online service with actual knowledge that it
`
`
`is collecting personal information directly from users of another Web site or online
`
`
`service directed to children.
`
`
`64.
`In connection with operating its Ad Exchange and selling ad inventory,
`
`
`OpenX collected, used, and disclosed personal information from users of Web sites
`
`
`or online services directed to children. OpenX collects personal information,
`
`
`including location information and persistent identifiers, in ad requests from users of
`
`
`child-directed Web sites and Apps participating in its Ad Exchange and transmits
`
`
`that information in bid requests to its demand-side partners for use in online
`
`
`behavioral advertising.
`
`
`65.
`In numerous instances, in connection with the acts and practices
`
`described above, OpenX collected, used, and/or disclosed personal information from
`- 13 -
`
`
`
`
`
`
`
`Case 2:21-cv-09693 Document 1 Filed 12/15/21 Page 14 of 16 Page ID #:14
`
`
`
`children in violation of the Rule, including by:
`
`
`a. Failing to provide sufficient notice on its Web site or online service
`
`
`of the information it collects, or is collected on its behalf, online
`
`
`from children, how it uses such information, its disclosure practices,
`
`
`and all other required content, in violation of Section 312.4(d) of the
`
`
`Rule, 16 C.F.R. § 312.4(d);
`
`
`b. Failing to provide direct notice to parents of the information it
`
`
`collects, or information collected on its behalf, online from children,
`
`
`how it uses such information, its disclosure practices, and all other
`
`
`required content, in violation of Sections 312.4(b) and (c) of the
`
`
`Rule, 16 C.F.R. § 312.4(b)-(c); and
`
`
`
`c. Failing to obtain verifiable parental consent before any collection or
`
`
`use of personal information from children, in violation of Section
`
`
`312.5 of the Rule, 16 C.F.R. § 312.5.
`
`
`66. Pursuant to Section 1303(c) of COPPA, 15 U.S.C. § 6502(c), and
`
`
`Section 18(d)(3) of the FTC Act, 15 U.S.C. § 57(a)(d)(3), a violation of the Rule
`
`
`constitutes an unfair or deceptive act or practice in or affecting commerce, in
`
`
`violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).
`
`
`67. OpenX violated the COPPA Rule as described above with the
`
`
`knowledge required by Section 5(m)(1)(A) of the FTC Act, 15 U.S.C. § 45(m)(1)(A).
`
`
`68. Each collection, use, or disclosure of a child’s personal information in
`
`
`which OpenX violated the Rule in one or more of the ways described above,
`
`
`constitutes a separate violation for which Plaintiff may seek monetary penalties.
`
`
`69. Section 5(m)(1)(A) of the FTC Act, 15 U.S.C. § 45(m)(1)(A), as
`
`
`modified by Section 4 of the Federal Civil Penalties Inflation Adjustment Act of
`
`
`1990, 28 U.S.C. § 2461, the Federal Civil Penalties Inflation Adjustment Act
`
`
`Improvements Act of 2015, Public Law 114-74, sec. 701, 129 Stat. 599 (2015), and
`
`Section 1.98(d) of the FTC’s Rules of Practice, 16 C.F.R. § 1.98(d), authorizes this
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`- 14 -
`
`
`
`
`Case 2:21-cv-09693 Document 1 Filed 12/15/21 Page 15 of 16 Page ID #:15
`
`
`
` Respectfully Submitted,
`
`
`
`Court to award monetary civil penalties of not more than $43,280 for each such
`
`
`violation of the Rule on or after January 14, 2020.
`
`
`CONSUMER INJURY
`
`
`70. Consumers are suffering, have suffered, and will continue to suffer
`
`
`substantial injury as a result of OpenX’s violations of the FTC Act and the COPPA
`
`
`Rule. Absent injunctive relief by this Court, OpenX is likely to continue to injure
`
`
`consumers and harm the public interest.
`
`
`PRAYER
`
`
`WHEREFORE, Plaintiff United States of America requests that the Court:
`
`
`A.
`Enter a permanent injunction to prevent future violations of the FTC Act
`
`
`by OpenX with respect to the privacy of consumers’ personal information;
`
`
`
`B.
`Enter a permanent injunction to prevent future violations of the COPPA
`
`
`Rule by OpenX;
`
`
`C. Award Plaintiff monetary civil penalties from OpenX for each violation
`
`
`of the COPPA Rule alleged in this Complaint; and
`
`
`D. Award any additional relief as the Court determines to be just and
`
`
`proper.
`
`
`
`
` Dated: December 15, 2021
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`FOR THE FEDERAL TRADE
`COMMISSION:
`
`ALDEN F. ABBOTT
`General Counsel
`
`KRISTIN COHEN
`Acting Associate Director
`Division of Privacy & Identity
`Protection
`
`
`
`FOR THE UNITED STATES OF
`AMERICA:
`
`BRIAN M. BOYNTON
`Acting Assistant Attorney General
`Civil Division
`
`ARUN G. RAO
`Deputy Assistant Attorney General
`
`GUSTAV W. EYLER
`Director, Consumer Protection Branch
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`- 15 -
`
`
`
`
`Case 2:21-cv-09693 Document 1 Filed 12/15/21 Page 16 of 16 Page ID #:16
`
`MARK EICHORN
`Assistant Director
`Division of Privacy and Identity
`Protection
`
`
`SARAH CHOI
`KEVIN MORIARTY
`Attorneys
`Division of Privacy & Identity
`Protection
`
`
`
`
`
`
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`LISA K. HSIAO
`As